
Chad’s 5 Home Computer Security Commandments

public class ManInTheMiddle extends Attack { //TODO: HACK }

You never know who in your neighborhood is up to no good.

Don’t let computer security and home data management overwhelm you. Take baby steps. When I took the initiative to secure our home computers, I first tackled the wireless network by using a strong pass-phrase with WPA2 (AES if you have the option). Then I set up backups that ran automatically, saving my changes every few hours. Then I focused on locking down the computers.

1. Use a Router

Get a router for your home network. Don’t just hook your computer up to a cable or DSL modem. A router provides the first line of defense against the bad stuff. Some modems are routers. Check your computer’s IP address: if it is 192.168.something then you have a router (sometimes 10.something as well). To see how the world sees your connection, visit: www.grc.com/shieldsup.

Be sure to disable UPnP and change your default SSID and admin password. There are hacks that can allow people access to your computer if you don’t change those settings. (If you have an Xbox or PS2 that requires UPnP, search around for solutions; it is not a good idea to leave UPnP running. You can find solutions online for static port forwarding.)

Finally, disable WPS (WiFi Protected Set-Up). For the reason why, see the WPS Note below. WPS is used so that you can press a button on your wireless router and sync a device such as a printer or phone to your network without having to enter a nasty (but secure!) pass-phrase. You only connect a device once. If you want to do it the easy way, turn WPS on, connect your device, then turn it off, at least until there is a fix.

WPS NOTE – January 9, 2012: There is a vulnerability in one of the options you have with WPS (WiFi Protected Set-Up), the method by which you can press a button on your router and sync a PIN to your phone or printer to easily connect. More information about the WPS issue can be found on the Small Net Builder website. The short of the matter is: if you can disable WPS, do so. Unless you want to go the short route and connect devices to your home network with one button, you don’t need it anyway. I am dismayed that a few vendors (Linksys/Cisco) do not have this option. I do hope router firmware is updated soon.

2. Use WPA2 on your Wireless Home Network

Secure your wireless network! This should really be number one, but in reality, if you don’t keep any one of these 5 commandments, it all crumbles. Make sure your wireless network is set to WPA2 and provide a good network passphrase (use a 63 character one!). Disabling SSID broadcast or filtering by MAC address doesn’t really provide security. Use WPA2 (WPA2 w/ AES if you’ve got it) and a strong passphrase. WEP can be cracked in under a minute.

A good WPA passphrase looks like this:

ZYMNzZ96ccz086XQY7BQHVUGLVOu

If you are paranoid (like me) a better WPA passphrase looks like this:

umGBy4uTA59rLPDrFVLEiD1ozSN5B9P65CHLWo68FPzDm0Ac641ELoHZutU2rEx

If you are truly an insane, paranoid individual (not like me), a really, really strong WPA passphrase looks like this:

47`$'&OY-]e>ghlB^IjZc1wrfsnWv0h^9qd\X9Kv/eUk1ODMxK|aOD~nw:<da{l

Why? Because computers are fast at trying all keys. An attack may start with 1, then try 2, and so on, then AA, AB, AC, and eventually GHEa, GHEA, etc. The longer you make it, the longer it takes for the computer to try all of the possibilities.

It is the same as giving a hacker a key chain with a billion keys in which only one is a match to your house. Give them 10 keys and they will try all ten and figure it out quickly. But give them a billion and they will say “forget this!”, throw your key chain to the ground, and run to your neighbor’s house where the door is probably unlocked. GRC.com has a great random password page. Get one from there and save it in a text document on your computer. You only have to configure your network and devices once, so just copy and paste from that document; there is no sense in using a memorable password. Just set it and forget it. (You’d forget the 8 character one anyway, so you might as well make it secure.)

WPA2 is not cracked: WPA2 is not cracked, despite what you may read on some blogs; those are misconceptions and attention-getting headlines. Yes, it can be brute forced using a dictionary attack, but if you are using a long random pass-phrase (like a 63 character one) and not a word seen in the dictionary, you will remain secure. Also, the WPS (WiFi Protected Set-Up) vulnerability mentioned earlier on this page is not part of WPA2. Once WPS is fixed, or if WPS is disabled on your router, you are back to being secure.
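As an added example (not from the post), here is the arithmetic behind the three passphrases above and the WPA2 key derivation they feed into: the script scores each passphrase's entropy, caps it at the 256-bit PMK that PBKDF2-HMAC-SHA1 (4096 rounds, salted with the SSID) produces, and checks that derivation against the standard's published "password"/"IEEE" test vector. The million-guesses-per-second rate used for the time estimate is an assumption.

```python
"""Why a long random WPA2 passphrase holds up: length -> entropy -> PMK."""
import hashlib
import math
import string

# The three sample passphrases shown in the post above (constructed, not real keys).
SHORT_ALNUM = "ZYMNzZ96ccz086XQY7BQHVUGLVOu"
LONG_ALNUM = "umGBy4uTA59rLPDrFVLEiD1ozSN5B9P65CHLWo68FPzDm0Ac641ELoHZutU2rEx"
LONG_PRINTABLE = r"47`$'&OY-]e>ghlB^IjZc1wrfsnWv0h^9qd\X9Kv/eUk1ODMxK|aOD~nw:<da{l"

PMK_BITS = 256        # WPA2-PSK pairwise master key is 256 bits
PBKDF2_ROUNDS = 4096  # iteration count fixed by the 802.11i standard


def validate_passphrase(passphrase: str) -> tuple:
    """Apply the 802.11i rule: 8 to 63 printable ASCII characters (0x20-0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        return False, "length must be 8-63 characters"
    if any(not (0x20 <= ord(c) <= 0x7E) for c in passphrase):
        return False, "only printable ASCII is allowed"
    return True, "ok"


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest standard character pool that covers the passphrase.

    Assumes the passphrase was drawn uniformly from that pool, which holds for a
    random generator like the one the post recommends, not for a human-chosen word.
    """
    pools = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),  # the remaining printable ASCII
    ]
    return sum(size for chars, size in pools if any(c in chars for c in passphrase))


def entropy_bits(passphrase: str) -> float:
    """Bits of entropy for a uniformly random passphrase over its pool."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def effective_bits(passphrase: str) -> float:
    """Work factor an attacker actually faces: never more than the 256-bit PMK."""
    return min(entropy_bits(passphrase), PMK_BITS)


def derive_pmk(passphrase: str, ssid: str) -> str:
    """WPA/WPA2-PSK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    ok, reason = validate_passphrase(passphrase)
    if not ok:
        raise ValueError(reason)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, 32).hex()


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate at a given rate.

    Each guess costs two PBKDF2 blocks of 4096 HMAC-SHA1 rounds, which is why
    even a dictionary run against a captured handshake is slow per candidate.
    """
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e6  # assumed guess rate: one million candidates per second
    for label, p in [("28 alnum", SHORT_ALNUM), ("63 alnum", LONG_ALNUM),
                     ("63 printable", LONG_PRINTABLE)]:
        print(f"{label:13s} entropy={entropy_bits(p):6.1f} bits "
              f"effective={effective_bits(p):5.1f} bits "
              f"exhaust at {rate:.0e}/s: {years_to_exhaust(effective_bits(p), rate):.3g} years")
    print("PMK for the standard's test vector:", derive_pmk("password", "IEEE"))
```

Note that both 63-character passphrases exceed the 256-bit PMK, so past roughly 43 random alphanumeric characters the key itself, not the passphrase, is the limit; an 8-character dictionary word offers a few tens of bits at best.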

3. Get Virus Protection

Get virus protection and keep it up to date. If you are a University of St. Thomas Staff member virus protection is free through a program called Symantec Endpoint Protection. Download Symantec from the IRT Web site or contact IRT for details.

There are two FREE anti-virus programs that I recommend. Microsoft Security Essentials (www.microsoft.com/security_essentials) and Avast (www.avast.com). There are other supposedly free programs out there, but most are just scareware. (The pop up that comes up saying “You are infected download XYZ now” while you are browsing the internet is an example.)

No. I do not offer support for installing or maintaining programs.

4. Back-up your documents

This isn’t really security, but your documents and pictures (and MP3s) are very valuable to you. In the event of a computer crash, fire, natural disaster or theft you would hate to lose them. Store them in one location on your computer (My Documents or an external hard drive) and create regular back-ups. Get an external hard drive (about 500GB should be good) for your backups.

In addition to the backups you have on your external hard drive, I REALLY recommend off-site storage as well. In the event your computer is lost, stolen, taken by a tornado, or the back-ups didn’t work, it just gives you peace of mind knowing they are still safe in another location.

I recommend either Jungle Disk (www.jungledisk.com) or Carbonite (www.carbonite.com) for your off-site backups. Again, I HEAVILY recommend (encrypted) off-site storage in one form or another just because of the possibility of a natural disaster. Our town recently had a tornado that devastated a neighborhood 20 blocks north of us. It really woke me up to the need for off-site storage. Also, when my back-up drive failed I could still sleep at night knowing that there was another backup I could rely on.

With backups, if you ever lose your data, or you get a virus and you need to wipe your computer clean, just reformat and re-install from the backup. Be sure your backups are in good working order though. I’ve been bitten once by a backup that was corrupt. I lost 9 months worth of pictures and video of our son when he was one. I now use a different backup structure and get stuff on DVDs more often.
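As an added example of the “make sure your backups are in good working order” check (not the author’s own tooling): take a manifest of SHA-256 hashes from the originals, then compare the backup copy against it so a truncated or skipped file shows up before the day you need the restore. The demo() scenario and its file names are constructed.

```python
"""Backup verification: hash the originals, then prove the copy restores byte-for-byte."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large photos and videos never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest taken from the originals.

    Reports files missing from the backup, files whose bytes differ (corrupt or
    partially written), and files that exist only in the backup.
    """
    missing, corrupt = [], []
    for rel, info in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != info["size"] or sha256_of(p) != info["sha256"]:
            corrupt.append(rel)
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    extra = sorted(present - manifest.keys())
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not (missing or corrupt)}


def demo() -> dict:
    """Constructed scenario: three 'photos' backed up; one gets truncated, one is skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "My Documents"), Path(tmp, "External Drive")
        samples = [("2011/son-1st-birthday.jpg", b"\xff\xd8" * 500),
                   ("2011/son-first-steps.mov", b"moov" * 2000),
                   ("notes.txt", b"router passphrase is in the safe\n")]
        for name, data in samples:
            (src / name).parent.mkdir(parents=True, exist_ok=True)
            (src / name).write_bytes(data)
        manifest = build_manifest(src)
        # Simulate a backup job that silently truncated one file and skipped another.
        for rel in manifest:
            if rel.endswith(".mov"):
                continue
            out = dst / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            data = (src / rel).read_bytes()
            out.write_bytes(data[:-1] if rel.endswith(".jpg") else data)
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

In practice, keep the manifest beside the backup and re-run the verify step after every backup job, and again against the restored copy before trusting a wiped-and-reinstalled machine.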

5. Use Strong Passwords

Use a good password. There are password analyzers out there that will tell you if your password is weak, good, or great. The minimum is 8 characters; I would recommend 10 or more. Combine words and numbers, and throw a period or dash in there for good measure. If you write them down, put them in a safe place, like a SAFE. There are password key chain applications out there, but make sure you are using a good one. Never let IE or Firefox store your passwords, but I can recommend LastPass for your password management needs.

More About Security

I’m not an expert, but many of these tips I learned from my job and classes, and about 90% are from listening to Security Now! with Steve Gibson and Leo Laporte.

Verbally Walk Through User Steps

Often when I am working with a designer or vendor I have to put myself in the user’s position and ask myself, “is this simple?” Engineers and designers have the unique ability to be with a project from the ground up. They have spent hours (hopefully) going through the reasoning why something functions a certain way, is placed in a certain place, or is worded a particular way.

Users, on the other hand, show up with no prior knowledge and don’t want to put more than a moment’s thought into where things are “logically” located. They quickly want results or they will navigate to another site or succumb to the appeal of watching a squirrel out the window.

One check is to write down and verbally go through the steps for a critical task with another person and see if at any point you stop and go, “boy, that’s a ridiculous amount of steps.” Even if you are oblivious, hopefully the other person will interrupt you or start chasing squirrels at some point. (It’s not rude but rather a tell-tale sign that you lost them.)

Even some of the most functional sites and applications may have critical areas that need tweaking. I’ve often wondered myself, as I am bringing a client through the steps, if the designers ever actually used a particular function before committing it to production.

Take this example for a saved search that will automatically email users when new results are added to the system. The backstory is that saving and automatically emailing results on a set frequency was an often requested feature by users, so they do expect to be able to save and receive updates.

Read it mentally first, then read it out loud.

  1. Click on “Advanced Search”
  2. Enter a name for your search in the “Save Search As” text field
  3. Check the box next to “Save Search”
  4. Select search criteria
  5. Click on the “Perform Search” button and see results
  6. Go to the “Saved Search” tab
  7. Click on the name you gave your saved search
  8. Check the box for “Email Me Updates”
  9. Save
  10. Click on “Schedule” next to your search name
  11. Choose frequency (every three days, Monday and Thursdays only, etc)
  12. Save

Seriously, don’t just read it mentally, read it out loud. When reading it out loud, what step did you get to before you said, “this is stupid”? There is a difference between blindly reading through or performing steps as a developer and actually verbalizing the steps.

Why? Because verbalizing is slower and wastes your time! If you are wasting your time, imagine what you are doing to your user, who is not reading step-by-step instructions but is trying to figure out how to get to the next step, which they may or may not know about!

Imagine yourself as a user trying to figure out how to get to step 1 without prior knowledge.

As a user, figure out how to jump back to step 1 after performing a search you realize you would like to save.

One reason why this does not work (though there are many) is because it takes the user out of the task up to 3 times and requires the user to have knowledge about what area, hidden from view, to go to next.

So, as an exercise, let’s rethink this. The point of this exercise is to work towards a simpler solution. As with any design project there are many factors unique to the situation to take into account and therefore many solutions. The idea is to train yourself to think simply and put good user interface (UI) and user experience (UX) design into practice.

If, in this example, we have reason to have a separate advanced search tab rather than an expandable form that goes from simple to advanced when the user chooses, we should probably still have saving functionality built into the simple search form.

On either the simple or advanced form, we could have a check box for saving the search. Also, on the results page we should allow the user to save the search criteria that was just executed. This puts the idea of saving a search right in front of the user no matter at what point they realize they want to save the search. We just took care of step 1 in the previous walk-through and allowed the user to do something by impulse rather than thinking it through.

Once the user has submitted the request to save a search, either by checking the box from the search form, or clicking Save Search from a results page, we should allow the user the opportunity to name the search (or use a default of some descriptive search criteria) and additionally the option to receive an automatic email.

This removes the name field from the already complex search page and only presents it to the user once we know their intention is to follow through with saving. Why have them complete two steps to initiate the process? Get them in the door and then drill into their needs.

The final step is to automatically present the user with the additional option of frequency only after they have asked to receive email updates. This can be done by expanding the email option on the same form, or on a separate screen that the user arrives at after submitting the form.

So, now the steps are:

  1. Go to the search page
  2. Select save search (either from the form or results page)
  3. Fill out saved search info

The system now allows snap-judgement intuition to guide the user through the steps. All information presented is minimal and it is up to the user to determine how detailed they get in setting up the saved search.

Any marketing communication would have previously read:

For convenience, users can save their searches in our application. Just:

  1. Click on “Advanced Search”
  2. Enter a name for your search in the “Save Search As” text field
  3. Check the box next to “Save Search”
  4. Select search criteria
  5. Click on the “Perform Search” button and see results
  6. Go to the “Saved Search” tab
  7. Click on the name you gave your saved search
  8. Check the box for “Email Me Updates”
  9. Save
  10. Click on “Schedule” next to your search name
  11. Choose frequency (every three days, Monday and Thursdays only, etc)
  12. Save

(I only copy and paste the steps again to reiterate how dumb this is.)

Now marketing communication can simply say:

For convenience, users can save their searches in our application. Just perform a search and save!

There is no need to provide more detail because, if we did it right, the steps flow automatically.

The next job, from a design standpoint, is to watch feedback, traffic stats, etc. and continually tweak it for your own solution. Remember, design is iterative and is never complete.

Oh, and yes, this was a real-life 12 step example that I verbalized to a vendor step by step over the phone and then asked, “This doesn’t sound complicated?” The answer wasn’t inspiring.

Mobile web vs mobile app – taking Jakob Nielsen’s Feb 13, 2012 Alertbox article into account

From the most recent Alertbox by Jakob Nielsen – Mobile Sites vs. Apps: The Coming Strategy Shift (February 13, 2012):

A last benefit of a mobile-site strategy is better integration with the full web. It’s much easier for others to link to a site than to integrate with a 3rd-party application. In the long run, the Internet will defeat smaller, closed environments.

(Apps may remain better for tasks that are intensely feature-rich applications, such as photo editing — whereas mobile sites will be better for design problems like e-commerce/m-commerce, corporate websites, news, medical info, social networking, etc. that are rich in content but don’t require intense data manipulation.)

I agree 100%. Also, if you read the top of the article he states:

As of this writing, there’s no contest: ship mobile apps if you can afford it.

In the communities I am a part of (small orgs) it is not affordable to code for Android, iOS, Windows Phone, etc. If you don’t have a business model that makes money, save it and put it towards a great desktop site, then enhance your mobile site (if your web traffic analytics show a mobile market share). Then, if you are bringing in money and can afford to tackle the mobile apps for each device, do it if it still makes sense. If you don’t have a pay-wall or user login, and you don’t have advanced features and functions, and you don’t get money via the web, a mobile app still doesn’t make sense. Save your money, time, and resources.

The truth is, mobile web sites are cross platform and easier to support on small budgets. Each site and app you put out there you need to be able to back with support when issues and changes arise. How much can you afford to handle and maintain? My mom always said that if you have a big yard and you can’t do the yard work yourself and you can’t afford to have it hired done, get rid of it.

Is Go Daddy violating ICANN rules with 60-day lock? Probably not, but it ain’t nice

I’m not alone and apparently many are trying to figure out whether or not Go Daddy is violating ICANN’s policy (see links below). According to ICANN they are not in violation, yet ICANN seems to be tweaking their policies to get at this issue. I think that since it requires so much interpretation and review, and because so much policy seems to get at this issue, the practice could be considered questionable. If it is for security Go Daddy’s policy falls apart when logically reviewed.

Again, Go Daddy claims they are able to put a lock on my domains because upon signing up several years ago I agreed not to transfer away within 60 days of registration or transferring ownership of the domains. They state that if you update a contact first, last or org name they consider it a transfer to a new owner and will impose the lock. In the ICANN Policy on Transfer of Registrations Between Registrars (Part A Section 3) a transfer may be blocked by Go Daddy if:

#6 Express written objection to the transfer from the Transfer Contact. (e.g. – email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means).

Sound familiar? Now I know where their text in the email denying me the request came from. This means if they put it in the terms that I agree to when registering, they can do this.

However, I swear I only updated the email address and there is no way to dispute and reverse the lock. If this were a security issue why would only updating the name cause the lock and not actual contact information (email, mailing address, phone)? It is purely to prevent transfer after some sort of perceived ownership change with no ability to file a dispute.

Here are some other posts I found relating to this:

According to the ICANN FAQ I am able to either contact the registrar I am transferring from (which I did with no luck) or contact the registrar I am transferring to. I will try this, if anything they can go through their channels if they feel there is a violation or if something needs to give.

Again, I want to reiterate, I am not out of money, there are no monetary damages so no, I can’t sue, all I am asking is to be able to state my case and reverse the lock on the domains. If this lock is to prevent people from stealing my domain without my knowledge then why in their policy am I able to change mailing, phone, and email, but not names? This is not security, this is bullying. God forbid I accidentally do something else that doesn’t please them and my account is locked for another 60-days because what I did I feel didn’t violate their policy to begin with.

Unless I have more luck with Hover.com getting the issue resolved on my behalf I am at the end of the road and need to wait until March to complete my transfers.

Use caution when transferring from Go Daddy to avoid a 60 day lock

I try to be happy and positive when online and not add to the trolls and negative content that seems so prevalent. If you’ve read any comments on a news site, you know what I’m talking about. But I am so pissed off that I gotta vent.

If you need to know one thing in your effort to transfer domains away from Go Daddy, it is this:

Do not, under any circumstance, modify any field other than email OR use the “copy to all” function if you need to update the administrative email in the domain record in order to receive your transfer authorization code.

I do not believe I updated any field other than the email address, but I did use the copy to all option (billing, contact, etc) just to save time. I think that was my issue and now Go Daddy will not, under any circumstance, allow me to transfer my domain until March 24th. I called and there is no one, no function, no force, that can override this.

Let’s go back about 5 years when I originally signed up. Apparently there is a section in the agreement that if you sign up for Go Daddy you may not transfer your domain away within 60 days of updating your name or organization on the domain record. This constitutes a change in ownership and they reserve the right to lock the domain for 60 days. This isn’t a “domain lock” which can be manually changed, this is a non-reversible lock for 60 days.

Advance ahead a few years, email addresses come and go, I keep my customer account information up to date, receive expiration notices for all domains, and continue on not thinking about updating my domain records. I even let the domain which housed the email address on the domain records lapse. I’d forgotten I used it as contact info.

Around last year I started getting uneasy about using Go Daddy. Their ads were sexist, I felt dirty (Catholic guilt, I guess), and no longer recommended them to friends or family. I also was getting frustrated because whenever I logged in to use the administrative control panel to update the apps, ftp, or perform other functions, I had a hard time getting past all the up-sales to get what I wanted done.

Frustration went on and on but the thought of moving 5 WordPress sites, and one MediaWiki site to another provider overwhelmed me. The files not so much, but the databases. Not to mention all the emails my family and I have accumulated. There was no clear way to download or export them from the Go Daddy servers (Gmail has a work-around for that which I will mention later).

This month, the heightened talk of SOPA and the revelation that Go Daddy was a supporter finally pushed me to move. I wasn’t going to be able to have time to make the move on the protest day, but I thought I could do it before The Big Game so that when their ads offended me and others, I knew I could say I wasn’t a part of it.

So, beginning last week I went to Hover.com and started the transfer process. First I had to unlock the domain and remove the privacy guard. I believe I spent about $15 a year on the domain and an extra $19 a year on keeping my information private and with Hover I could transfer for just $10 and they include the privacy for free. Good, I’m saving money.

The final step is to receive the authorization code. This is a code that you request from Go Daddy and they will send it to the email address listed as the Administrative Contact for that domain. That was the first sign of trouble. All these years I received email regarding my domain, allowed Go Daddy to auto renew the accounts, and never realized how unkempt I let the contact info get. The email listed in the admin portion was at a domain I no longer owned. So I couldn’t even set up a quick alias if I wanted to. The other option was to update the email address. So I edited the contact information, hit confirm, and then to be tidy used the function to apply it to the Billing and Primary contact info as well. My name stayed the same, I don’t have an organization, so I can’t believe I would have modified any of that. Even if it was incorrect, why bother? I’ll confess I didn’t update the mailing address. My privacy is turned off, I’m not going to update my mailing address.

I did this for 3 of the 4 domains. One of them actually had the correct email address which was odd because I manage it for a friend of mine and wouldn’t have thought I would have kept it so up to date while letting the others fall to the side.

Moving the Email

Now, since one of the domains I was transferring included my family email accounts I needed to transfer email service away first, otherwise I’d lose everything. I found out that the hosting service I was going to move to, DreamHost, allowed me to use Google Apps for my email. I could retain the family domain and instead of a @gmail.com email address we could keep the same one we were used to using. Plus Gmail made it easy to sync to our phones.

Earlier I had found out that Gmail can download email from other accounts into your Gmail account using POP. All I needed to do was change the domain name record to point to Gmail and Gmail would start receiving all the new mail, and then have Gmail access the old accounts on the other server and suck the emails out. Once the inboxes were cleared out, I moved the sent items into the inbox on the old server and had Gmail suck them in as well, except under an Old Sent Items label. I’m still trying to figure out how to get them into Gmail’s sent items. Moving items into sent is not an option from the Move menu.

Requesting Authorization

Now I was ready to request the authorization code. I submitted my request and received a code for each domain. I entered them into Hover and the next day I received notification that the transfers failed. I also received separate communication from Go Daddy that the transfers are locked.

******************************************
REGISTRAR TRANSFER DENIED
******************************************
Dear Chad Kluck,

The transfer of [Redacted].[Redacted] from Go Daddy to another registrar could not be completed for the following reason(s):

Express written objection to the transfer from the Transfer Contact. (e.g. – email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means).

The express written objection may be the result of a pending or recently completed Change of Registered Name Holder. This is an opt-in process during which the new Registered Name Holder agrees not to transfer for 60-days. This domain will be transferrable [sic] on 3/23/2012.

If you believe that this domain name does not fit the situation described above, go to http://support.godaddy.com/?prog_id=GoDaddy&isc=gdbba35 for assistance.

Regards,
Go Daddy Domain Services

This didn’t make too much sense to me, but I figured I could start moving files and the databases over in the meantime while I sought to find time during normal business hours to give them a call. Plus the link provided is just a general support page.

So, I was able to download and then upload files, one site a day, using FTP. I’d let a site download as I headed off to work, and then allowed it to upload overnight. 5 sites, 5 days just about. Saturday became the day to do the databases and they went quite smoothly. I exported them from PHPMyAdmin as SQL, and then turned around and imported them into the new databases. Got that done Saturday morning.

I then had time to research the issue of domain transfers. One completed as I didn’t touch the admin info, but I still had three left. I looked into it and found a page on Go Daddy’s support site that had been updated on January 24, 2012. My transfer request was denied January 23, 2012 at 8:44 p.m.

It states not to change the Name or Organization otherwise a 60-day lock will occur:

WARNING: You voluntarily agree to a 60-day lock that prevents you from transferring your domain name when you update the Organization field for the registrant contact, or when you update the First name and Last name fields for the registrant contact if an organization is not the legal registrant for your domain name.

This is reinforced on Hover.com’s support site:

A word of caution: Do not change the first name, last name, or organization contact in your contact information. Go Daddy will enable a 60 day transfer lock because this is considered a domain ownership change.

To my knowledge I did not change the first, last, or organization contact. I had no reason to. The only thing I can think of is that I hit the button that applied the change to all contacts. Something may have been copied from the Admin contact over to the others causing the 60-day lock. I am 100% certain I did not change any names, only the email address.

So I called Go Daddy, told them what happened, and said that I would like the lock removed. The support person said they can’t do that. I asked to speak with someone who could and was put on hold. When he came back he said all support people were on calls but he asked around and there is no one that can undo the 60-day lock. I asked if the lock was a Go Daddy policy or if other registrars did it. He said as far as he knew only Go Daddy did it. I was also informed that it was in the terms I agreed to when signing up, therefore it may not have been presented to me when I was making my changes. (Even though I only changed the email address.)

My expression of dissatisfaction went something like this:

I’m looking at a page that was updated the day after I requested my transfer. Go Daddy is notorious for making things complicated when people want to leave.  I saw no notification of blocking the transfer when I updated the email address. This is just one more road block put in place to inconvenience me and others switching from Go Daddy. We both know the news, people are unhappy [perhaps a small percentage of Go Daddy's customer base, but a good number]. This is very convenient–for Go Daddy–to implement this lock.

Probably not that coherent, but something like that.

So, here I sit waiting for the lock to be lifted. Luckily I am not out of money, the domains are not expiring soon, so I do have time to wait. However, the idea of having a task hang over my head, having this transfer incomplete is killing me when I am just 3 authorization codes away from being done with Go Daddy. It really sucks.

Update (1/29/2012 1:39 a.m.): I found the following line in the Domain Name Registration Agreement (Last Revised: December 9, 2011) at Go Daddy:

You agree that you will not transfer any domain name registered through Go Daddy to another domain name registrar during the first sixty (60) days after its initial registration date. (Section 3. Term of agreement; transfers; domain tasting)

I still cannot believe there is no means to dispute this as any change that may have caused this block was incorrectly applied.

Update (1/30/2012 9:23 p.m. CST): I added another post about this with a few more references. Unless I have more luck with Hover.com getting the issue resolved for me I am at the end of the road and need to wait until March to complete my transfers.